Comment on Docker Hub's trust signals are a lie — and Huntarr is just the latest proof

corsicanguppy@lemmy.ca 5 hours ago

The idea that this kind of workflow could be full of risk has been debated … since the CPAN days. If you pull in black box code without inspecting it, then you deserve the day you begged for.

…and if you chose a model that doesn’t allow for easy validation, that’s still on you.
